"Jimmy Brush" wrote:
> Hello,
>
> I've noticed that a lot of the questions in these newsgroups are either
> directly or indirectly related to UAC (User Account Control). In this post,
> I will go over what UAC does, how it works, the reasoning behind it, how to
> use your computer with UAC on, why you shouldn't turn UAC off, and answer
> some common questions and respond to common complaints about it.
>
>
> * What is UAC and what does it do?
>
> UAC mode (also known as Admin Approval Mode) is a mode of operation that
> (primarily) affects the way administrator accounts work.
>
> When UAC is turned on (which it is by default), you must explicitly give
> permission to any program that wants to use "administrator" powers. Any
> program that tries to use admin powers without your permission will be
> denied access.
>
>
> * How does UAC work
>
> When UAC mode is enabled, every program that you run will be given only
> "standard user" access to the system, even when you are logged in as an
> administrator. There are only 2 ways that a program can be "elevated" to get
> full admin access to the system:
>
> - If it automatically asks you for permission when it starts up, and you
> click Continue
> - If you start the program with permission by right-clicking it, then
> clicking Run As Administrator
>
> A program either starts with STANDARD rights or, if you give permission,
> ADMINISTRATOR rights, and once the program is running it cannot change from
> one to the other.
>
> If a program that you have already started with admin powers starts another
> program, that program will automatically be given admin powers without
> needing your permission. For example, if you start Windows Explorer as
> administrator, and then double-click on a text file, notepad will open and
> display the contents of the text file. Since notepad was opened from the
> admin explorer window, notepad WILL ALSO automatically run WITH admin
> powers, and will not ask for permission.
>
>
> * What's the point of UAC?
>
> UAC is designed to put control of your computer back into your hands,
> instead of at the mercy of the programs running on your computer.
>
> When logged in as an administrator in Windows XP, any program that could
> somehow get itself started could take control of the entire computer without
> you even knowing about it.
>
> With UAC turned on, you must know about and authorize a program in order for
> it to gain admin access to the system, REGARDLESS of how the program got
> there or how it is started.
>
> This is important to all levels of users - from home users to enterprise
> administrators. Being alerted when any program tries to use admin powers and
> being able to unilaterally disallow a program from having such power is a
> VERY powerful ability. No longer is the security of the system tantamount to
> "crossing one's fingers and hoping for the best" - YOU now control your
> system.
>
>
> * How do I effectively use my computer with UAC turned on?
>
> It's easy. Just keep in mind that programs don't have admin access to your
> computer unless you give them permission. Microsoft programs that come with
> Windows Vista that need admin access will always ask for admin permissions
> when you start them. However, most other programs will not.
>
> This will change after Windows Vista is released - all Windows Vista-era
> programs that need admin power will always ask you for it. Until then, you
> will need to run programs that need administrative powers that were not
> designed for Windows Vista "as administrator".
>
> Command-line programs do not automatically ask for permission. Not even the
> built-in ones. You will need to run the command prompt "as administrator" in
> order to run administrative command-line utilities.
>
> Working with files and folders from Windows Explorer can be a real pain when
> you are not working with your own files. When you are needing to work with
> system files, files that you didn't create, or files from another operating
> system, run Windows Explorer "as administrator". In the same vein, ANY
> program that you run that needs access to system files or files that you
> didn't create will need to be ran "as administrator".
>
> If you are going to be working with the control panel for a long time,
> running control.exe "as administrator" will make things less painful - you
> will only be asked for permission once, instead of every time you try to
> change a system-wide setting.
>
> In short:
>
> - Run command prompt as admin when you need to run admin utilities
> - Run setup programs as admin
> - Run programs not designed for Vista as admin if (and only if) they need
> admin access
> - Run Windows Explorer as admin when you need access to files that aren't
> yours or system files
> - Run programs that need access to files that aren't yours or system files
> as admin
> - Run control.exe as admin when changing many settings in the control panel
>
>
> * UAC is annoying, I want to turn it off
>
> Having to go through an extra step (clicking Continue) when opening
> administrative programs is annoying. And it is also very frustrating to run
> a program that needs admin power but doesn't automatically ask you for it
> (you have to right-click these programs and click Run As Administrator for
> them to run correctly).
>
> But, keep in mind that these small inconveniences are insignificant when
> weighed against the benefit: NO PROGRAM can get full access to your system
> without you being informed. The first time the permission dialog pops up and
> it is from some program that you know nothing about or that you do not want
> to have access to your system, you will be very glad that the Cancel button
> was available to you.
>
>
> * Answers to common questions and responses to common criticism
>
> Q: I have anti-virus, a firewall, a spyware-detector, or something similar.
> Why do I need UAC?
>
> A: Detectors can only see known threats. And of all the known threats in
> existence, they only detect the most common of those threats. With UAC
> turned on, *you* control what programs have access to your computer - you
> can stop ALL threats. Detectors are nice, but they're not enough. How many
> people do you know that have detectors of all kinds and yet are still
> infested with programs that they don't want on their computer? Everyone that
> I have ever helped falls into this category.
>
>
> Q: Does UAC replace anti-virus, a firewall, a spyware-detector, or similar
> programs?
>
> A: No. Microsoft recommends that you use a virus scanner and/or other types
> of security software. These types of programs compliment UAC: They will get
> rid of known threats for you. UAC will allow you to stop unknown threats, as
> well as prevent any program that you do not trust from gaining access to
> your computer.
>
>
> Q: I am a system administrator - I have no use for UAC.
>
> A: Really? You don't NEED to know when a program on your computer runs with
> admin powers? You are a system administrator and you really could care less
> when a program runs that has full control of your system, and possibly your
> entire domain? You're joking, right?
>
>
> Q: UAC keeps me from accessing files and folders
>
> A: No, it doesn't - UAC protects you from programs that would try to delete
> or modify system files and folders without your knowledge. If you want a
> program to have full access to the files on your computer, you will need to
> run it as admin. Or as an alternative, if possible, put the files it needs
> access to in a place that all programs have access to - such as your
> documents folder, or any folder under your user folder.
>
>
> Q: UAC stops programs from working correctly
>
> A: If a program needs admin power and it doesn't ask you for permission when
> it starts, you have to give it admin powers by right-clicking it and
> clicking Run As Administrator. Programs should work like they did in XP when
> you use Run As Administrator. If they don't, then this is a bug.
>
>
> Q: UAC keeps me from doing things that I could do in XP
>
> A: This is not the case. Just remember that programs that do not ask for
> permission when they start do not get admin access to your computer. If you
> are using a tool that needs admin access, right-click it and click Run As
> Administrator. It should work exactly as it did in XP. If it does not, then
> this is a bug.
>
>
> Q: UAC is Microsoft's way of controlling my computer and preventing me from
> using it!
>
> A: This is 100% UNTRUE. UAC puts control of your computer IN YOUR HANDS by
> allowing you to prevent unwanted programs from accessing your computer.
> *Everything* that you can do with UAC turned off, you can do with it turned
> on. If this is not the case, then that is a bug.
>
>
> Q: I don't need Windows to hold my freaking hand! I *know* what I've got on
> my computer, and I *know* when programs run! I am logged on as an
> ADMINISTRATOR for a dang reason!
>
> A: I accept the way that you think, and can see the logic, but I don't agree
> with this idea. UAC is putting POWER in your hands by letting you CONTROL
> what runs on your system. But you want to give up this control and allow all
> programs to run willy-nilly. Look, if you want to do this go right ahead,
> you can turn UAC off and things will return to how they worked in XP. But,
> don't be surprised when either 1) You run something by mistake that messes
> up your computer and/or domain, or 2) A program somehow gets on your
> computer that you know nothing about that takes over your computer and/or
> domain, and UAC would have allowed you to have stopped it.
>
>
> - JB
>
> Vista Support FAQ
> http://www.jimmah.com/vista/
>
"Jimmy Brush" wrote:
> ok i understand the benifit to uac but you should have made it so when it
gets permission for a program that you have installed it stops asking every
time you boot up that is why i will stop using it i dont think it built
right yet still needs some work
This is a misconception that many people have.
When a program asks for your permission to run with a UAC prompt, this means
that program is asking for complete and unrestricted access to every part of
your computer. This keeps you in control of what is happening on your
machine.
If you were able to allow access for this program to run, without notifying
you, it would be very easy for a separate, malicious program to gain access
to your computer by 'piggybacking' on this programs unrestricted access.
At this point, it would no longer be 'your' computer.
--
Ronnie Vernon
Microsoft MVP
Windows Shell/User
If another application launches the trusted application, Ronnie, the user can
be notified that this is the case. The hijack can then be allowed or denied by
the user. Further, if the CRC of the trusted application changes, the user can
be notified that's so, and if there is no reason it should have changed it can
be
forbidden to run by the user. Maybe this is rocket science, but if Sygate could
accomplish it with their firewall, then I suppose Microsoft could accomplish it
with their UAC. It was simpler to put more of a burden on the user - showing
a lack of consideration for the user meant less coding effort. They chose.
1. The user is frustrated with this method, because:
a. Doesn't understand why three prompts must be answered to delete a
file in the Programs(x86) folder.
b. No useful information is provided in any of the prompts as to what is
really being done that requires permission.
e.g. "A change to the Programs(x86) folder has been initiated by
program xxx."
"Program xxx is attempting to create a directory under
C:\Users\UserName."
Instead we get something like, "Administrator priveledges are
required for this function. Do you wish to continue?"
What function?
2. End result:
a. "Of course I want to Continue." Click
3. All that MS has done is protect themselves by giving themselves the
ability to state, "You were warned by a prompt that 'something' was
happening and you clicked 'continue.' It's not our fault."
I've stated this before:
Put UAC on your car's ignition switch.
When you select Start, you get a prompt on the Speedometer glass,
"Owner's permission required to continue. Do you wish to continue?"
And you can feel safe that your car can never be used without your
permission by those nefarious individuals out there.
"Ronnie Vernon MVP" <r...@invalid.org> wrote in message
news:C654FD2B-E84E-4A1E...@microsoft.com...
If you are seeing more than 1 prompt for an action, these are not all coming
from UAC. You are probably seeing an 'access denied' prompt first which is
comes from the 'Shell' because of the permissions that are set on the
destination folder/file.
You can click the Details button on the UAC prompt that shows the action is
being initiated.
You can also bypass the UAC prompt, depending on your use of the program. If
this is an application that you are using constantly, you can create a
Scheduled Task to start the program. Set it to start with certain triggers,
such as at boot time or...., and set it to run with highest privileges.
Your example of starting the car is a good one, but you forget that you have
already proven ownership and given permission when you insert the proper
key. This would only be a good example if every car was equipped with a
toggle switch instead of a unique key. :)
--
Ronnie Vernon
Microsoft MVP
Windows Shell/User
"Mark" <jmho...@nospam.insightbb.com> wrote in message
news:eCRQVtnQ...@TK2MSFTNGP04.phx.gbl...
The other details are excellent information, but my point was regarding the
"typical frustrated user."
"Ronnie Vernon MVP" <r...@invalid.org> wrote in message
news:436500E4-7DE0-4118...@microsoft.com...
Tell you what helps: make your account an Administrator (don't worry, it
still runs as a normal user), and set up UAC so you don't have to enter your
password.
That way you just need a single click to dismiss the UAC prompt, and -
provided you are the sole user of your PC - there is no loss of security.
Personally I'm quite glad when Windows warns me that something with security
implications is about to happen.
So:
1/ UAC prompts warn you of possible security risks, so are A GOOD THING
2/ They occur quite rarely, and just need a simple mouse click to dismiss
So what on earth is all the fuss and moaning about?
SteveT
"Ronnie Vernon MVP" <r...@invalid.org> wrote in message
news:436500E4-7DE0-4118...@microsoft.com...
--
- JB
Microsoft MVP Windows Shell/User
"Michael Jennings" <meta...@gmail.com> wrote in message
news:OfUL$ZnQIH...@TK2MSFTNGP05.phx.gbl...
I would agree that UAC is frustrating (in some circumstances more than
others), and your analogy is correct in the context of living, breathing
users. Whoever is operating the computer while logged in is in control.
Instead, UAC is there to protect users from programs ... it's there to
insure that the programs that are requesting admin power from the user are
doing so at the request of the user.
--
- JB
Microsoft MVP Windows Shell/User
"Mark" <jmho...@nospam.insightbb.com> wrote in message
news:B9058E0E-957B-46A2...@microsoft.com...
"Jimmy Brush" <j...@mvps.org> wrote in message
news:BFAE3C64-297F-4E12...@microsoft.com...
> Windows can't tell with any accuracy "if another application" is launching the
> application. That's why all the separation between admin vs. non-admin is
> necessary (UIPI, integrity levels, etc). Things that are running on a user's
> desktop can interact and intermingle to such a point that it isn't really
> possible to say "i know that process A, uninfluenced by any other process, is
> launching this trusted app at the user's request". That's why UAC is
> necessary, and why it is so important not to allow exceptions.
>
> "Michael Jennings" <meta...@gmail.com> wrote in message
> news:OfUL$ZnQIH...@TK2MSFTNGP05.phx.gbl...
>> If another application launches the trusted application, Ronnie, the user can
>> be notified that this is the case. The hijack can then be allowed or denied
>> by
>> the user. Further, if the CRC of the trusted application changes, the user
>> can
>> be notified that's so, and if there is no reason it should have changed it
>> can be
>> forbidden to run by the user. Maybe this is rocket science, but if Sygate
>> could
>> accomplish it with their firewall, then I suppose Microsoft could accomplish
>> it
>> with their UAC. It was simpler to put more of a burden on the user - showing
>> a lack of consideration for the user meant less coding effort. They chose.
>>
>> "Ronnie Vernon MVP" <r...@invalid.org> wrote in message
>> news:C654FD2B-E84E-4A1E...@microsoft.com...
There's a certain logic to that, but if that's the way
you view your software - as "requesting admin power
from the user", then you probably need to reassess
what you're installing. I have all sorts of programs
installed. In all cases, I want the software to do whatever
it "thinks" is necessary. It's a tool in my service. If I
didn't feel that way I wouldn't keep the software!
In the meantime, I want Windows to be a software
*platform*, not a decision maker.
There's nothing wrong with running under very high
security, especially if you're in a vulnerable network
scenario, but to tell others that they *should* do
as you do borders on religion.
All it is doing is enforcing what you are doing. If you are starting a
program that is requesting admin access, you are expected to click continue
:). The only time there is a bit of "warning guidance" is when the program
being launched is unsigned, in which case the OS cannot guarantee that the
program that you are lauching hasn't been replaced by some malware when it
gets executed.
UAC is protecting you when either a program would launch that you did not
start, and you click cancel, or you notice a different looking prompt for a
program that you expected to prompt (a normal signed prompt vs. an unsigned
prompt, for example), and you click cancel.
This certainly does not stop you from running malware, it just stops stuff
from running that you did not start. UAC allows other really cool things to
work, like programs isolated into seperate privilege levels on your desktop,
and it also works in conjunction with other more traditional security
products to create multiple levels of security.
And for what it's worth, I could care less if others do as I do ... I would
just like people to really understand what UAC is doing before they decide
to turn it off :).
--
- JB
Microsoft MVP Windows Shell/User
"mayayana" <mayaXX...@mindXXspring.com> wrote in message
news:ugrAU%23FRIH...@TK2MSFTNGP06.phx.gbl...
--
- JB
Microsoft MVP Windows Shell/User
"Michael Jennings" <meta...@gmail.com> wrote in message
news:%23Wplc0F...@TK2MSFTNGP04.phx.gbl...
Those are decisions made by Windows without
my approval. I clicked an icon. That tells Windows
"run this program". I didn't ask it to ask me for
confirmation ... I don't want to hear about Microsoft's
"digital signature" scam ... I don't want to be reminded
that my crash helmet chin strap should be tightened
before proceeding ... I just want to run the darn
software! I'll worry about the malware, Thank-You-Very-Much.
If Microsoft wants to help prevent malware infections,
they could create one nag that would actually help:
Put a big red button on
Internet Explorer. Clicking the button would show a message
that says, "You are about to enable scripting. Are you sure
you want to do that? You should only enable scripting
when absolutely necessary." Then, even if scripting is
enabled, it will be disabled at the next website.
And of course, the setting to disable that nag will
be hidden somewhere like:
HKLM\Software\Microsoft\Internet Options_
IExplorer\JScriptWarningOptions\Security_
ToolBarButton\DisableJSCriptWarningToolbarButton
Then setting the value DisableJSCriptWarningToolbarButton
to the DWORD avalue of 16439 will return control of
browser scripting to the user. :)
My only points were that UAC does in fact guarantee with a high degree of
certainty that only the programs you run will have admin access to your box,
and by using digital signatures UAC can even guarantee that the program that
you are about to elevate is in fact the program the prompt says it as, and
without UAC you have absolutely no control over what runs with elevated
privilege and what doesn't (everything runs with elevated privilege,
assuming of course you are logged in as an admin).
--
- JB
Microsoft MVP Windows Shell/User
"mayayana" <mayaXX...@mindXXspring.com> wrote in message
news:uupiq0NR...@TK2MSFTNGP05.phx.gbl...
This is a common misconception people have :).
I think this is the main reason people have a hard time grasping UAC, is
because they believe this to be true, and at first glance it does seem like
this would be something obvious the computer should be able to do without
any problems.
Unfortunately, it isn't ... Windows does not know that you are the one
starting a program even if you double-click on it in explorer. That is
exactly why UAC prompts you, to ascertain this.
If this could be done without a prompt, it would be very cool indeed, and
then the only prompt that would be needed would be the case where the
program is unsigned.
However, this is a much bigger technical problem than it appears at first
glance.
Indeed. Rube Goldberg would be pleased to have you as
an apprentice.
I don't want to scare you unduly, but how
do you know it's Windows showing you that UAC prompt,
and not one of your famously ubiquitous malware programs
hooking the mouse input? Hopefully in SP2 Microsoft will
start taking security seriously and offer a retina scan
confirmation using external hardware. In the meantime
it might be best if we all try to keep our clicking to a
minimum. :)
Clicking a fake continue button on a fake UAC prompt does not increase the
privilege level.
--
- JB
Microsoft MVP Windows Shell/User
"mayayana" <mayaXX...@mindXXspring.com> wrote in message
news:um3uxVP...@TK2MSFTNGP06.phx.gbl...
--
A Professional Amateur...If anyone knew it all, none of would be here!
CarGod...@hotmail.com
Change Alpha to Numeric to reply
"Steffer" <Ste...@discussions.microsoft.com> wrote in message
news:733766B8-6EFD-4D51...@microsoft.com...
--
~Alex T~
.:~A.K.A. Makaveli213~:.
.:MVP Windows Shell/User:.
"Steffer" <Ste...@discussions.microsoft.com> wrote in message
news:733766B8-6EFD-4D51...@microsoft.com...
"Alan Simpson" wrote:
> Well said Jimmy. But just a couple minor additions. Using a computer in a
> limited account for day-to-day stuff has been a security "best practice" for
> many years, and totally ignored outside the corporate environment for just
> as many years. Basically Vista makes that practice security best practice
> automatic and as painless as possible by letting you temporarily elevate
> on-the-fly on an as-needed basis.
>
> Also, for home users, there's a tie-in to parental controls here. From a
> password-protected administrative account you can set parental controls on
> children's standard accounts and monitor their computer and Internet use.
> The kids can't get to any of that from their standard accounts (without an
> administrative password). So they can't tamper with any of that.
>
>
> "Jimmy Brush" <Jimmy...@discussions.microsoft.com> wrote in message
> news:3DD0CEBA-1550-486F...@microsoft.com...
This is a fallacy! If UAC cannot notify the user that a program is trying to
gain global access to the system, then it is effectively 'disabled'. This so
called 'quite mode' setting just changes a UAC registry setting to
'automatically elevate everything without prompting'. This means that when
you click to open a file, it is 'assumed' that you already know that the
file will have unrestricted access to your computer.
The main thing that UAC does is to detect when a program or application
tries to access restricted parts of the system or registry that requires
administrator privileges. When a program does this, UAC will prompt the user
for administrative elevation. Without this prompt, UAC cannot warn the user,
which means that it is effectively disabled.
Some people will tell you that using "quiet mode" will still let IE run in
protected mode, but this just isn't true. Without the UAC prompt, a
malicious file that runs from a website can run, without restrictions, and
silently.
Another issue is that with UAC prompt disabled, some legitimate procedures
will just silently fail to work properly, with no notification, if you are
logged on with a Standard User account, since the application cannot notify
you that administrative privileges are required.
Even the developer of the TweakUAC utility includes this statement about his
product.
"if you are an experienced user and have some understanding of how to manage
your Windows settings properly, you can safely use the quiet mode of UAC."
In my opinion, if you are an experienced user, the last thing you would want
to do is turn off the UAC notification.
If you 'are' an experienced user, then you would already know how to
temporarily bypass the UAC prompt to perform just about any procedure in
Vista, such as running programs from an elevated command prompt, or using an
elevated instance of windows explorer.
The last problem I have with this so-called 'quiet mode' is that it
dissuades developers from programming their applications to run in a least
user privilege environment.
--
Ronnie Vernon
Microsoft MVP
Windows Desktop Experience
Personally, when I decide to run something I don't have a need to be asked
to confirm it. If I didn't want to run it I would not have clicked on it in
the first place.
The bottom line is UAC does no more than protect the user from himself, and
even that still requires the user to be knowledgeable.
"Ronnie Vernon MVP" <r...@invalid.org> wrote in
messagenews:3F04A9A8-EC21-412D...@microsoft.com...
Sorry, Bob, but I agree with Ronnie. The so-called "quiet" mode is nothing
more than disabling the built-in warning system. UAC actually works.
Troubleshooting my nephew's pc over the weekend, set in "quiet" mode, I
found a worm and three everyday ordinary virus hits. Apparently, after
tweaking the UAC, the worm disabled the AV enough to allow a virus to
auto-install, three different times, in just under a month.
His excuse? Clicking the little box when he installed a couple games was too
annoying.
<inline>
"Bob" <b...@nowhere.net> wrote in message
news:8MOdnY5hI8aWaHva...@comcast.com...
> Ronnie
> Even with the prompt enabled it still requires the user to be
> knowledgeable of the application UAC is prompting about. Once elevation is
> allowed UAC does not protect the user. Clicking allow becomes nothing more
> than an annoying additional click which in many cases becomes automatic.
It it only annoying until you run into something unexpected. Right after
Vista was first released, we went through all of the debates about users
getting to the point where clicking on the prompt became an 'automatic'
response.
One user told us about a utility that he downloaded and installed and he got
the expected 'security warning' about the file not having a digital
signature. He clicked to run the file anyway and the utility installed. He
then got a message to 'click here' to configure your personal settings. He
then received this prompt.
http://i196.photobucket.com/albums/aa86/rvmv/UACPrompt2.jpg
Without UAC, he never would have been aware of the second file being
installed, since he had already permitted the program to run. Needless to
say, he decided that he would leave UAC on.
> Additionally, the most common way a PC becomes infected is by downloading
> something from the net and even with the UAC prompts disabled you still
> receive a security warning when you attempt a download.
Only in specific instances, such as an installation file that does not have
a digital signature attached. The security warning does nothing to protect
against 'drive-by' downloads that run automatically. Most of the smaller
software developers will not bother with a digital signature, simply because
it is time consuming and expensive for them.
>
> Personally, when I decide to run something I don't have a need to be asked
> to confirm it. If I didn't want to run it I would not have clicked on it
> in the first place.
It's not about you deciding to run a program, it's about 'isolation', it's
about 'integrity levels', it's about what background actions the program
will take when you do run it. Have you ever wondered why an application,
that does nothing more than make images look better, needs full and
unrestricted access to every part of your computer?
>
> The bottom line is UAC does no more than protect the user from himself,
> and even that still requires the user to be knowledgeable.
This is the whole point of UAC. The only way that a malicious program can be
installed is if the user gets complacent and stops paying attention to what
they are doing.
When Vista is first installed, a user will typically see a ton of UAC
prompts as they install all of their software programs and utilities, but
these will gradually become more rare. Windows has to overcome almost twenty
years of being a 'push button' operating system before it will attain any
semblance of a 'secure' operating system. The education of users as well as
developers will take some time. UAC and other security 'hardening'
procedures are not going to 'go away'.
When the majority of developers see the benefits, and start following the
Microsoft developer guidelines for coding their programs and applications to
run in a 'least user privilege' environment, UAC will become a prompt that
is rarely seen. The vast majority of windows software should not even need
to initiate a UAC prompt.
Take a few minutes to read the following article. It will give you a better
understanding, and show you the underlying reasons and goals of UAC.
The Long-Term Impact of User Account Control:
http://technet.microsoft.com/en-us/magazine/cc137811.aspx
I had previously read the article.
The quote that stands out to me is "UAC does not, nor is it intended to,
stop malware"
In the example you give the user would have received a prompt even if UAC
was disabled providing he was running Windows Defender.
"If potentially harmful software tries to run or install itself on your
computer, Windows Defender notifies you and helps you choose how to take
action."
Re: "Have you ever wondered why an application,
that does nothing more than make images look better, needs full and
unrestricted access to every part of your computer?"
I don't know why you say that. I run Photoshop Elements and afaik it doesn't
need unrestricted access to every part of my computer.
"Ronnie Vernon MVP" <r...@invalid.org> wrote in message
news:D4168639-4396-4757...@microsoft.com...
That's correct, the primary job for UAC is to allow a user to run with a
Standard User (Limited User in XP) token and still have the capability to
elevate a program or procedure with administrator privileges on demand.
However, as a side benefit, if you get an unexpected UAC prompt, this can
warn you that a process you did not start is trying to access a restricted
part of the OS.
> In the example you give the user would have received a prompt even if UAC
> was disabled providing he was running Windows Defender.
> "If potentially harmful software tries to run or install itself on your
> computer, Windows Defender notifies you and helps you choose how to take
> action."
Windows Defender can only stop 'known' malware. It checks a database that is
updated often when a new threat is discovered. Defender is not an anti-virus
program.
Neither Defender nor UAC are designed to replace a good anti-virus program.
> Re: "Have you ever wondered why an application,
> that does nothing more than make images look better, needs full and
> unrestricted access to every part of your computer?"
>
> I don't know why you say that. I run Photoshop Elements and afaik it
> doesn't need unrestricted access to every part of my computer.
This is because photoshop elements is probably designed to work properly, or
the part of the program that requires admin privileges has been Virtualized
by UAC. I have even heard of word processors that get a UAC prompt when they
are started.
" Windows Defender can only stop 'known' malware. It checks a database that
is updated often when a new threat is discovered. Defender is not an
anti-virus program.
Neither Defender nor UAC are designed to replace a good anti-virus program."
"Ronnie Vernon MVP" <r...@invalid.org> wrote in message
news:AF812511-4163-400C...@microsoft.com...
> I've noticed that a lot of the questions in these newsgroups are either
> directly or indirectly related to UAC (User Account Control). In this post,
> I will go over what UAC does, how it works, the reasoning behind it, how to
> use your computer with UAC on, why you shouldn't turn UAC off, and answer
> some common questions and respond to common complaints about it.
>
>> * UAC is annoying, I want to turn it off
>
> Having to go through an extra step (clicking Continue) when opening
> administrative programs is annoying. And it is also very frustrating to run
> a program that needs admin power but doesn't automatically ask you for it
> (you have to right-click these programs and click Run As Administrator for
> them to run correctly).
>
> But, keep in mind that these small inconveniences are insignificant when
> weighed against the benefit: NO PROGRAM can get full access to your system
> without you being informed. The first time the permission dialog pops up and
> it is from some program that you know nothing about or that you do not want
> to have access to your system, you will be very glad that the Cancel button
> was available to you.
>
> - JB
>
> Vista Support FAQ
> http://www.jimmah.com/vista/
I think I missed the answer to the question, "UAC is annoying how do I turn
it off?" I am doing a copy and replace, small directories, which are each
located with in separate .zip files that I need to copy and replace from My
Documents to another drive. Having to do 6 to 8 mouse clicks for each of two
dozen directories is NOT FUN. Again, How do I turn it off?
Run Regedit and navigate to
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Change the value of ConsentPromptBehaviorAdmin from "2" to "0".
-------
*Report back, please*
[When responding to posts, please include the post(s) you are replying to so
that others may learn and benefit from the issue]
[How to ask a question]
http://support.microsoft.com/kb/555375
"ScottK" <Sco...@discussions.microsoft.com> wrote in message
news:2BBBEF2D-7936-421E...@microsoft.com...
<snip>
> Having to do 6 to 8 mouse clicks for each of two dozen directories is NOT FUN.
> Again, How do I turn it off?
Give it some time and be a little bit more patient. The mouse clicking
frequency will lessen eventually.
1. Do not work in elevated level; Day-to-day work should be
performed while the User Account Control (UAC) is enabled. Turning
off UAC reduces the security of your computer and may expose you to
increased risk from malicious software.
2. Familiarize yourself with "Services Hardening in Windows Vista".
3. Keep your operating (OS) system (and all software on it)
updated/patched.
4. Reconsider the usage of IE.
5. Review your installed 3rd party software applications/utilities;
Remove clutter.
6. Don't expose services to public networks.
7. Activate the build-in firewall and tack together its advanced
configuration settings.
7a.If on high-speed internet use a router as well.
8. Routinely practice safe-hex.
9. Regularly back-up data/files.
10.Familiarize yourself with crash recovery tools and with
re-installing your operating system (OS).
11.Utilize a real-time anti-virus application and vital system
monitoring utilities/applications.
12.Keep abreast of the latest developments - Sh!t happens...you know.
The least preferred defenses are:
Myriads of popular anti-whatever applications and staying ignorant.
Peez of pith, really :-)
"Jimmy Brush" wrote:
> Hello,
>
> I've noticed that a lot of the questions in these newsgroups are either
> directly or indirectly related to UAC (User Account Control). In this post,
> I will go over what UAC does, how it works, the reasoning behind it, how to
> use your computer with UAC on, why you shouldn't turn UAC off, and answer
> some common questions and respond to common complaints about it.
>
>
> * UAC is annoying, I want to turn it off
>
> Having to go through an extra step (clicking Continue) when opening
> administrative programs is annoying. And it is also very frustrating to run
> a program that needs admin power but doesn't automatically ask you for it
> (you have to right-click these programs and click Run As Administrator for
> them to run correctly).
>
> But, keep in mind that these small inconveniences are insignificant when
> weighed against the benefit: NO PROGRAM can get full access to your system
> without you being informed. The first time the permission dialog pops up and
> it is from some program that you know nothing about or that you do not want
> to have access to your system, you will be very glad that the Cancel button
> was available to you.
>
>
The rest are good information sources.
http://www.petri.co.il/disable_uac_in_windows_vista.htm
http://technet.microsoft.com/en-us/windowsvista/aa906022.aspx
http://windowshelp.microsoft.com/windows/en-us/help/f941cb45-b2cd-4b39-ab87-cb9ea959f44e1033.mspx
http://technet.microsoft.com/en-us/windowsvista/aa905108.aspx
http://www.microsoft.com/technet/technetmag/issues/2007/06/UAC/default.aspx
Extremely detailed
"Aaron Martinez" <Aaron Mart...@discussions.microsoft.com> wrote in message news:B63EEABD-22A8-41D9...@microsoft.com...
Here is what you should do. You should contact the vendor and get an
updated version of the program, because it is INCORRECTLY WRITTEN.
It breaks the XP programming guidelines. Yes, I said the *XP* guidelines,
which were published years ago.
XP was lax and let such programs run anyway. Vista polices those guidelines
much more rigidly, for security reasons.
If you insist on turning off UAC, simply type 'vista turn off uac' into
Google! I've done it for you - here is the best link:
...(watch the line break)
SteveT
The convention with Unix / Linux has always been to have one admin -
"Root" and everyone else as users.
Generally it's been the opposite with Windows.
Unfortunately Vista does not "Explain" that as the "Owner" or
"Installer" of the system you are really only a privileged "User". The
impressions is that you are "Special" because in the past you always were.
With Linux it has been convention for years that running as "Root" is a
bad thing, and the more sophisticated the software you are using
(Graphical User Interface for example) the more dangerous that would be
because quite simply there's more chance of a bug letting bad things happen.
So to do anything with older Linux you would sign out as "Ernst" and
back in as "Root". Normally neither "Ernst" nor malware could do much to
damage the system.
Later versions allow "Ernst" to use the command "SUDO" (or similar) to
temporarily gain admin rights (Root) for one specific task or groups of
tasks.
With Windows the convention has been the wrong way around, and this is a
kind of "Legacy" carried on by the users who expect to always have
total control at all times. Unfortunately this also gives a bad guy at
your desktop, a bad guy with a remote terminal or bad software the same
control.
So although I think UAC is a clumsy and sometimes annoying way of trying
to persuade people to do it the right way, it is an advisory tool that
has some merit. It is NOT per-se increased security if you are silly and
let things you are unaware of do what they ask, any more than the Linux
method is "Security" if you become "Root" and let unknown software take
actions it requests.
In some circumstances signing in as "Root" might be acceptable, in your
case it probably was, but with the amount of malware, spyware and stuff
targeting Windows these days most users who were running as full admin
were in danger.
>Charlie, Thank you for this extensive respons. Yes I understand what you are
>saying, but this was already clear to me from the earlier part of the thread.
>I also agree with the principal behind it. I have worked for many years with
>firewalls like ZoneAlarm and Comodo that use a similar principal: Ask the
>user what program is allowed access (the computer or the internet). However,
>these firewalls have never stopped me from doing the work that I need doing
>on my PC. UAC is.
I stopped reading at this point (it would have been a lot easier to
continue reading if you had used paragraphing).
If UAC is interferring, you have two choices:
1) download and run TweakUAC which will force UAC to run in "silent
mode" and will greatly reduce the prompts you get. It will still
permit IE to run in "protected mode".
2) disable UAC entirely.
Vista hides and disables the actual most privileged account to make it
harder
for users to take that lazy and less secure option. It creates the
"Administrator"
account so the administrator can get most of the access he or she needs with
an "Admin Approval Mode" feature. This way, people who feel they need to
be admin all the time can do so without severely reducing security as long
as
they don't get too clickhappy - because "Administrator" is actually running
with user privileges until elevated by answering prompts.
Making an easy way to circumvent the feature is equivalent to completely
defeating it because malware can do almost whatever the user can do. In
fact, firewall application's abilities in this respect could be used by
malware
to the detriment of real security while adding to false security.
UAC is pretty annoying at first, but I hardly ever get prompted any more.
I suppose if you routinely have to execute strange and/or badly written
programs, you could reestablish the most privileged user account and
have your computer as secure as Windows 98. UAC seems to be aimed
at reducing the fertile breeding ground for malware created by average users
running with the brain-dead default settings Microsoft traditionally used to
get that smooth out-of-the-box experience. They wanted to get people
comfortable with computers. It's time to make the internet a safer place,
if that means average users have to adopt better practices (enforced by
UAC) then I say it is a "good thing". If you are a good netizen, and you
know what you are doing, then maybe UAC isn't for you. There *is* a way,
I think, to re-enable the real administrator and display it as an option on
the
logon screen but I don't recall where I got this notion.
It sounds like the root (pun intended) of your problem is permissions. The
UAC prompt is one of the symptoms, not the problem. Even though the UAC
prompt is annoying unless you're very comfortable with the command prompt
it's best to leave it on when dealing with permissions. Windows Explorer is
made to work with UAC. With UAC off changing permissions via the GUI
(Windows Explorer) may not work as you expect it to. Some things may fail
because the process doesn't get elevated. You may want to temporarily enable
the real "Administrator" account, fix the problem logged on with that
account, then disable it again.
http://support.microsoft.com/kb/555910
Alternatively you can do this by typing commands in an elevated command
prompt.
You will probably also want to read up on "junctions". It sounds like you
may have inadvertently created some junctions.
http://www.google.com/search?hl=en&q=vista+junctions+site%3Amicrosoft.com&meta=
The easiest way may be to create a new user account then copy whatever files
you can to this account. Once you're sure you've got the data delete the old
account and the messed up directories.
--
Kerry Brown
Microsoft MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
The 'real' admin-account may show me more of what is actually happening.
The junctions are indeed new to me, I'll read up on it.
And yes, if I all else fails, maybe copying to a new account may help (if I
get permission to do so :-).
Thanks for taking my problem seriously.
Ernst
Mike Ober.
"Ernst" <Er...@discussions.microsoft.com> wrote in message
news:7ABC1D88-874F-41A7...@microsoft.com...
Mike.
"Ernst" <Er...@discussions.microsoft.com> wrote in message
news:9DE2698B-A8EC-4581...@microsoft.com...
Let me know
--
luckylindy
"Alan Simpson" wrote:
> Well said Jimmy. But just a couple minor additions. Using a computer in a
> limited account for day-to-day stuff has been a security "best practice" for
> many years, and totally ignored outside the corporate environment for just
> as many years. Basically Vista makes that practice security best practice
> automatic and as painless as possible by letting you temporarily elevate
> on-the-fly on an as-needed basis.
>
> Also, for home users, there's a tie-in to parental controls here. From a
> password-protected administrative account you can set parental controls on
> children's standard accounts and monitor their computer and Internet use.
> The kids can't get to any of that from their standard accounts (without an
> administrative password). So they can't tamper with any of that.
>
>
> "Jimmy Brush" <Jimmy...@discussions.microsoft.com> wrote in message
> news:3DD0CEBA-1550-486F...@microsoft.com...
> > want a program to have full access to the files on your computer, you will
> > need to run it as admin. Or as an alternative, if possible, put the files
> > it needs access to in a place that all programs have access to - such as
> > your documents folder, or any folder under your user folder.
> >
> >
> > Q: UAC stops programs from working correctly
> >
> > A: If a program needs admin power and it doesn't ask you for permission
> > when it starts, you have to give it admin powers by right-clicking it and
"Chad Harris" wrote:
> In addition to Jimmy's always extremely well written answers, I would
> encourage everyone to read carefully ***what's on the UAC team blog as well
> as the Vista Security blog** and the blogs of the people who aren't on the
> UAC team, but are on other Vista teams at MSFT, and contribute to its blog
> regularly. On one of my other posts I put extensive links explaining UAC
> features. Following those two blogs will make your life with Vista and its
> security (whichever form it finally takes much easier):
>
> UAC Team Blog--Read posts from the archives--they are screenshot in detail;
> Scroll Down; Click on the Archives and previous recent dates.
> http://blogs.msdn.com/uac/
>
> http://blogs.msdn.com/uac/archive/2006/01/22/516066.aspx
>
> Also read the comments on the blog; they are full of tips.
>
> Check out the Windows Vista Security Blog
> http://blogs.msdn.com/windowsvistasecurity/
>
> Security Integrity Team Blog
> http://blogs.msdn.com/si_team/
>
> Antimalware Team Blog
> http://blogs.technet.com/antimalware/
>
> UAC Team Beta Vista Chats:
>
> 6/22/06
> http://windowsconnected.com/forums/70/ShowForum.aspx
>
> 9/28/05
> http://windowsconnected.com/forums/thread/2846.aspx
>
> and also check out these discussions:
>
> O'Reilly Dev Center: UAC Overview
> http://www.windowsdevcenter.com/pub/a/windows/2006/04/04/uac-in-windows-vista.html
>
> Technet UAC Overview
> http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx
>
> UAC What's New in Beta 2?
> http://blogs.msdn.com/uac/archive/2006/06/21/641713.aspx
>
> UAC Articles Technet
> http://www.microsoft.com/technet/windowsvista/security/uac.mspx
>
> UAC Application Webcast
> http://blogs.msdn.com/uac/archive/2006/06/26/647384.aspx
>
> Q&A with UAC Vista PM Chris Corio
> http://windowsconnected.com/blogs/joshs_blog/archive/2006/01/21/558.aspx
>
> UAC Gone Wild (Not to be confused with Girls Gone Wild who can't decide how
> to wear their T-Shirts)
> http://techrepublic.com.com/5100-10877-6089415.html
>
>
> Enjoy.
>
> CH
>
>
>
>
> "Dennis Pack x64, v64B2 (5384), OPP2007B2" <denni...@nospamhotmail.com>
> wrote in message news:183A189F-4EB9-4790...@microsoft.com...
> > Jimmy:
> > Thanks for the excellent description and operation of UAC
> > explanation.
Camper
"Richard" <Ric...@discussions.microsoft.com> wrote in message
news:252884B6-2D45-4D52...@microsoft.com...